There’s a gaping hole in thousands of unsuspecting people’s computers that lets any random internet passerby not only look over their shoulder but reach through to take over their systems.

The hole is caused by a remote access tool: specifically, unsecured use of a product known as Virtual Network Computing (VNC).

VNC is actually a handy application that lets us remotely share our desktops with others – be they colleagues, those giving us software demonstrations, or remote administrators helping us diagnose system problems.

But if VNC isn’t locked down with a strong, unique password, the list of who can remotely view and control our computer systems can also potentially include eavesdroppers or intruders looking to compromise computers.

Also, it can include security engineers assessing what’s exposed on the internet that shouldn’t be.

At Defcon on Sunday, security engineers Dan Tentler and Paul McMillan fit into that last category.

During their 1-hour talk, Tentler and McMillan scanned for computers running remote access software without a password.

In just that brief time, the results poured in as the pair discovered thousands of computers on port 5900 using unsecured VNC for remote access.

According to Forbes’s Kashmir Hill, the total number of unsecured VNC instances the pair discovered in 1 hour likely exceeded 30,000.

On Thursday, McMillan’s Twitter stream was showing an assortment of links to screen grabs that illustrate what things people are leaving wide open.

The tweets included screenshots that seem to pertain to oil or natural gas wells in Texas, another of what looked like the schematic for an Italian hydroelectric plant and this one (blurred by Naked Security) of a Novell ConsoleOne administration window – an application for managing an entire computer network and all its resources:

@PaulM

This would be the one machine you would leave unsecured to the public internet, right?

Forbes’s Hill reports that at Defcon, she also got an eyeful of screenshots that showed people:

checking Facebook

playing video games

watching Ender’s Game

reading Reddit

Skyping

reviewing surveillance cameras

shopping on Amazon

reading email

editing price lists and bills

watching porn

…as well as access screens for these things:

pharmacies

point of sale systems

power companies

gas stations

tech and media companies

a cattle-tracking company

hundreds of cabs in Korea

Hill actually called one of the pharmacies. They were reportedly horrified to find out that anybody could review their patients’ prescriptions.

Because this isn’t just about viewing, it’s about people being able to take over those systems and do things like change a power company’s settings or flip through a company’s business records.

I’d like to think that the researchers contacted all the computers’ owners, asked their forgiveness for accessing their computers and private data without permission and then gave them a chance to secure themselves before revealing anything to the world.

That seems highly unlikely, perhaps even impossible, but that is the standard of responsible disclosure that we’ve come to expect of security researchers exposing vulnerabilities.

So how can you minimise your exposure to this kind of backdoor access? The rules are simple:

The pharmacist whom Hill called immediately contacted his software vendor, who was shocked to discover there was a way around the firewall and immediately turned off the VNC settings on the drug terminals.

Unfortunately, the chances that a helpful security reporter or security researcher is going to call to let us know that we’re leaving our systems exposed are slim to none.

Most of us have to strap this stuff down ourselves, and urge others to do the same.
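One way to strap it down yourself is to confirm that a VNC server you administer actually demands a password. Right after the version handshake, an RFB server lists the security types it will accept, and type 1 ("None") means anyone who can reach port 5900 gets in without a password. The helper below, an added example that is not from the article, parses that message; it does not open any connection itself, and the byte strings in it are constructed samples rather than captures from any real host.

```python
# Added example (not from the article): a defender's self-audit helper that inspects the
# security-types message a VNC (RFB) server sends right after the version handshake and
# reports whether it offers type 1 ("None"), i.e. lets anyone connect without a password.
# The byte strings below are constructed samples, not captures from any real host.
import struct

SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                       5: "RA2", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_security_types(version_line: bytes, payload: bytes) -> list:
    """Return the list of security types the server offers.

    RFB 3.7+: payload is a u8 count followed by that many u8 type codes
    (count 0 means the server refused; a length-prefixed reason follows).
    RFB 3.3: the server chooses for the client and sends a single u32 type.
    """
    if not version_line.startswith(b"RFB ") or len(version_line) != 12:
        raise ValueError("not an RFB version line")
    major, minor = int(version_line[4:7]), int(version_line[8:11])
    if (major, minor) >= (3, 7):
        count = payload[0]
        if count == 0:
            reason_len = struct.unpack(">I", payload[1:5])[0]
            reason = payload[5:5 + reason_len].decode("latin-1", "replace")
            raise ValueError("server refused the connection: " + reason)
        return list(payload[1:1 + count])
    return [struct.unpack(">I", payload[:4])[0]]


def allows_unauthenticated(version_line: bytes, payload: bytes) -> bool:
    """True if the server offers security type 1 (None): no password needed."""
    return 1 in parse_security_types(version_line, payload)


def describe(version_line: bytes, payload: bytes) -> str:
    """Human-readable audit line for one server's handshake."""
    types = parse_security_types(version_line, payload)
    names = ", ".join(SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types)
    verdict = "EXPOSED: no password required" if 1 in types else "password/auth required"
    return f"{version_line[:11].decode()} offers [{names}] -> {verdict}"


# Constructed samples: a 3.8 server offering both None and VNC auth (exposed),
# a 3.8 server offering only VNC auth, and a 3.3 server that picks VNC auth.
EXPOSED_38 = (b"RFB 003.008\n", b"\x02\x01\x02")
LOCKED_38 = (b"RFB 003.008\n", b"\x01\x02")
LOCKED_33 = (b"RFB 003.003\n", b"\x00\x00\x00\x02")

if __name__ == "__main__":
    for sample in (EXPOSED_38, LOCKED_38, LOCKED_33):
        print(describe(*sample))
```

To audit your own machine, feed the helper the version line and the bytes your server returns on loopback after you echo the version back; any "EXPOSED" verdict means the "None" security type must be disabled and a password set before the port is reachable from anywhere else.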

NB. We have to say it: please don’t try this at home. Or at work. Just because you can connect without a password to someone’s computer system doesn’t mean you are allowed to. It’s not like trespass, which in many jurisdictions is a civil matter. Many, if not most, countries have laws making it a criminal offence to access a computer without authorization. Your motivation probably won’t be enough to get you off the hook if someone decides to investigate and you end up facing criminal charges.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

12 comments on “Thousands of computers open to eavesdropping and hijacking”

You should see it in Add/Remove Programs (older Windows version) or Programs and Features in the Control Panel if it was legitimately installed.

If it was sneakily installed by malware (some malware has carried around copies of VNC as a backdoor tool) then a decent anti-virus ought to tell you.

And an anti-virus with Application Control (like Sophos – you can block apps that you might not want for safety/security reasons, as well as outright malware) will very likely offer to stop it running if you never wanted it in the first place.

VNC is only available if you installed it. This isn’t a default Windows setting or anything. It’s a remote access tool used for all kinds of things. If you have no idea how to access it, chances are you haven’t installed it.

That’s a rather narrow perspective. Many people use computers that have been set up by others. Examples: a friend or relative, some geek from IT, a previous owner, or a local computer shop. Trusting to “chances are” isn’t a security-minded response.

Exactly. I work from home and we regularly use TeamViewer to connect to customer computers. Because that software is technically capable of sharing my own screen, I close it the second I’m finished using it. “If you don’t need it, don’t run it” was good advice.

In Windows there is Remote Desktop, Windows Remote Management, and Windows Remote Management – Compatibility mode (HTTP – in). Depends on which version of Windows. These should be turned off, one way is in Windows Firewall.